On 2017-03-01 17:02, Franziska Lichtblau wrote: > On Wed, Mar 01, 2017 at 12:50:49PM +0100, Jeroen Massar wrote: >> On 2017-03-01 11:59, Franziska Lichtblau wrote: >> [..] >>>> Oh, and indeed, Switzerland is a bad place for BCP38, most networks >>>> allow spoofing on both IPv4 and IPv6. >>> >>> Which is "kinda good" for me cause only answers from people who are >>> implementing >>> all of that won't help us much understanding whats going on ;) >> >> That is not "kinda good" as it means that spoofing can happen easily and >> those kind of attacks are much harder to trace than ones that do proper >> full TCP (or heck UDP). > > You got me wrong there. I didn't mean to say it's good that the possibility > for spoofing is out there. What I meant to convey was, that if I only speak > to operators or regions where a ''perfect'' level of filtering is applied I > will not get meaningful insights about why it is not done everywhere and > how we can improve on that. > That's one of the biggest challenges - to actually talk to the people who are > not doing as we all would want them to.
The only place where a 'perfect level of filtering' is in place is Finland. And that is because FICORA (their ~BAKOM) has made BCP38 mandatory in 2014: https://www.viestintavirasto.fi/attachments/cert/tietoturvakatsaukset/Cyber_review_Q1_2014_EN.pdf And they have good successes with it. Google for the many reports about this by the great people from FICORA. The rest of the world, you will not find a lot of BCP38 to the joy of many many people who provide 'security services' (be that booters/testers/etc or the ones selling protection against ddos) >> But with this whole Mirai thing and hundreds of thousands of hosts being >> compromised of end-sites or Wordpress/Joomla/etc on servers with proper >> upstream connectivity, it really does not matter, as spoofing is not >> even really needed to properly DDoS any network, unless we are talking >> about distributed or properly anycasted networks. > > That is completely true. But that's a completely different problem (which I > used > to work on very superficially). One that I'd actually like to see fixed, but > I'm > not sure what a research perspective (which is the one I can offer) can help > there. I'm totally open to suggestions. Research unfortunately won't solve BCP38 deployment either. Regulatory enforcement like in Finland seems to be the only way. Like IPv6, as long as there is no real business interest -- read: money can be made from it nothing will happen. (the eyeball networks getting ddossed of the net by bots on their own network for instance would make a business interest, again *not a hint* ;) ) >> Eyeball networks though are both the source of many problems and when >> miscreants figure out they can take down an eyeball network (which >> cannot be protected with tricks like anycast and throwing more resources >> at it, as pipe full == pipe full... *not a hint* ;) ) and ransom those >> networks, lots of fun will happen. > > There are things you can not not think once you've thought about them once ;) > I agree - there's lots of potential fun out there.... > >> The fun part is then also that those networks will just not work, they >> will also get overloaded call centers which is amazing from a money >> perspective thus it will do a lot of damage. >> >> But maybe then those eyeball networks finally will start taking action >> in cleaning up their userbase, thus IMHO, it can't happen early enough >> as then we finally will have a proper Internet where that nonsense gets >> taken care of instead of just ignored... > > The problem is always, that people need incentives - there's a good amount > of people that you can get with the global idea of a well working community... That does not make a business incentive aka earning money though. > but sadly not all of them. That's one of the reasons why we ask what are the > incentives of people who try to keep their network clean and now we can > lower the bars for those who are not yet there. Make a business case and then convince the management of ISPs about the risk of the Mirai hosts (and many others) in their network. Because of Mirai existing though, BCP38 would not do anything to stop that, thus you'll have to find a better example botnet that actually spoofs. As long as Mirai and friends exist, spoofing is not needed and thus BCP38 only solves a little bit of a puzzle unfortunately. As I note above: Regulatory requirement are likely the only way. Greets, Jeroen _______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
